You can add extra zeroes. XSS bypass on a private bug bounty program

Sep 30


Hi incredible hackers. I got a private invite and got curious about the program, so I signed up on the main website and started clicking around and using all the functions.

I found an endpoint in which the value of the “name” parameter was reflected inside an “iframe” tag.

Fortunately the " character wasn’t being encoded, so I was able to break out of the src attribute.


The ( and ` characters were not allowed and caused a 403 error.

test" onload=alert(origin) --> 403
test" onload=print`` --> 403
test" onload=alert origin) --> 200

I played with it for a few minutes, but I couldn’t exploit it.


I texted my buddy 0xrz who is a true monster when it comes to hacking.

I sent him the endpoint and…



" onload=alert&#0000000040origin) value="

He told me what is going on here, and I’m writing it down.

But this payload was giving us a 403 page again, and it wasn’t a bypass in this case.

  • You can add extra zeroes after &# and it will still be treated as &#40, which is (. Isn’t JS amazing?
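The decoding itself happens in the browser's HTML parser while it reads the attribute value, before the JavaScript engine ever sees the onload handler: after "&#" the parser consumes every following digit, so leading zeros change nothing and the trailing semicolon is optional. The block below is an added example, not code from the original post or from the program in question. It reimplements that decoding step, runs the post's two payload shapes through a raw-byte blocklist and through a decode-then-check version of it, and shows the fix that actually holds (attribute-context output encoding). The function names, the /preview endpoint and the sample payloads are constructed for this demonstration.

```javascript
// Added example, not code from the original post. Shows why a numeric
// character reference with leading zeros defeats a filter that only looks
// for a literal "(" and what the correct fix looks like. Function names,
// the /preview endpoint and the sample payloads are constructed.

// Decode numeric character references the way a browser's HTML parser
// does while reading an attribute value: after "&#" it consumes every
// decimal digit (or "x" plus hex digits), so leading zeros are
// insignificant and the trailing ";" is optional.
function decodeNumericRefs(attrValue) {
  return attrValue.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (whole, digits) => {
    const cp = /^x/i.test(digits)
      ? parseInt(digits.slice(1), 16)
      : parseInt(digits, 10);
    // Null, surrogates and out-of-range values become U+FFFD, as in
    // browsers; none of them can turn into "(".
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) {
      return '\uFFFD';
    }
    return String.fromCodePoint(cp);
  });
}

// Blocklist rule modelled on the 403 behaviour in the post: it inspects
// the raw parameter, not what the browser will render.
function naiveFilterRejects(rawValue) {
  return /[(`]/.test(rawValue);
}

// Same rule applied after decoding. Closes this particular gap, but it
// is still a blocklist and not a substitute for output encoding.
function normalizedFilterRejects(rawValue) {
  return /[(`]/.test(decodeNumericRefs(rawValue));
}

// Context-aware encoding for an HTML attribute value. Encoding "&" is
// what keeps &#0000000040 from ever being decoded into "(", and encoding
// the quote is what keeps the value inside src.
function escapeForAttribute(value) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return value.replace(/[&"'<>]/g, (ch) => map[ch]);
}

// Hypothetical server-side template for the reflected iframe.
function buildIframe(name) {
  return `<iframe src="/preview?name=${escapeForAttribute(name)}"></iframe>`;
}

// Constructed samples modelled on the payloads in the post.
const PAYLOADS = {
  literal: 'test" onload=alert(origin)',
  encoded: '" onload=alert&#0000000040origin) value="',
};

// For each payload: what the browser would see in the attribute, whether
// each rule would have rejected it, and the safely encoded markup.
function evaluate() {
  const rows = {};
  for (const [label, raw] of Object.entries(PAYLOADS)) {
    rows[label] = {
      browserSees: decodeNumericRefs(raw),
      naiveRejects: naiveFilterRejects(raw),
      normalizedRejects: normalizedFilterRejects(raw),
      encodedOutput: buildIframe(raw),
    };
  }
  return rows;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Running it shows the encoded payload passing the raw-byte rule while the browser-side view already reads `alert(origin)`. Decoding before inspection catches this one variant, but the durable control is the last function: once the reflected value is attribute-encoded, no entity form can terminate the quoted src. Because src is a URL-valued attribute, a real implementation should also validate the scheme of whatever ends up in it, which attribute encoding alone does not do.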

Report & Bounty:

Make sure that you follow 0xrz:

Reach me at: